Antivirus Gold Malware infected my computer


1 reply to this topic

#1 Eleasha

Posted 19 July 2005 - 08:29 AM

Hello, I got infected with Antivirus Gold on my laptop 4 days ago and I have been trying to find out how to fix it, to no avail. I am posting my HJT log for review. Can someone please help me? I am at my wits' end with this!!

Thanks!!

Eleasha



-----------------
Logfile of HijackThis v1.99.1
Scan saved at 3:09:28 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8757DCF3-EDCB-AF1D-2A96-1BA99BF8F486} - C:\WINDOWS\sdkza.dll
O2 - BHO: Class - {A91EF599-5AF3-83C2-86F7-5C9793216040} - C:\WINDOWS\atlmu32.dll
O2 - BHO: Class - {E2FF6CD4-8C87-9B6D-3707-80D3C44B04E0} - C:\WINDOWS\apivj32.dll
O2 - BHO: Class - {F813BE06-EC76-A5FE-DD49-14847AD19AAC} - C:\WINDOWS\system32\mfchk32.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [crsr.exe] C:\WINDOWS\system32\crsr.exe
O4 - HKLM\..\RunOnce: [sysfu32.exe] C:\WINDOWS\sysfu32.exe
O4 - HKLM\..\RunOnce: [appgx32.exe] C:\WINDOWS\appgx32.exe
O4 - HKLM\..\RunOnce: [sdkxw32.exe] C:\WINDOWS\system32\sdkxw32.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
O4 - HKLM\..\RunOnce: [sysza.exe] C:\WINDOWS\sysza.exe
O4 - HKLM\..\RunOnce: [sysvp32.exe] C:\WINDOWS\system32\sysvp32.exe
O4 - HKLM\..\RunOnce: [apivj32.exe] C:\WINDOWS\apivj32.exe
O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\system32\winbd32.exe
O4 - HKLM\..\RunOnce: [msod.exe] C:\WINDOWS\system32\msod.exe
O4 - HKLM\..\RunOnce: [nttf32.exe] C:\WINDOWS\nttf32.exe
O4 - HKLM\..\RunOnce: [AOLToolbarDirRemoval] cmd.exe /C rd "C:\Program Files\AOL Toolbar"
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\AcsUninstall.exe"
O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\AcsUninstallRes.dll"
O4 - HKLM\..\RunOnce: [3] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Owner\LOCALS~1\Temp\shfolder.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\sysfu32.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

#2 JG427

Posted 21 July 2005 - 02:52 PM

Hi Eleasha.

I don't see Antivirus Gold in your log, but you do have an about:blank hijacker.
This one tends to change file names, and the bad service it installs currently shows the file missing. It may have been replaced by now.
Please scan with HijackThis and post a fresh log.
I will be notified of your reply and we can start the clean up.
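The log in the first post and JG427's reading of it (IE search keys redirected to a local DLL, BHOs with no type name, a pile of RunOnce entries and a service whose file is already missing) can be checked mechanically. The script below is an added example written for this page; it is not part of the thread, not HijackThis code, and not a BleepingComputer tool. It parses R0/R1, O2, O4 and O23 lines and applies four heuristics that are assumptions of the example, not rules from the page: an R-line whose value is a `res://` URL into a local DLL, an O2 BHO whose type name is just "Class" or whose DLL is the one the R-lines point at, an O4 entry whose registry value name is simply the file name of an executable sitting directly in `C:\WINDOWS` or `C:\WINDOWS\system32`, and an O23 service with "(file missing)" or "Unknown owner". The sample input is a constructed subset of the posted log with a few benign lines kept for contrast.

```python
import re

# Constructed sample (offline): a subset of the HijackThis log posted above, plus the
# benign Acrobat BHO, IgfxTray and ewido lines from it for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8757DCF3-EDCB-AF1D-2A96-1BA99BF8F486} - C:\WINDOWS\sdkza.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [crsr.exe] C:\WINDOWS\system32\crsr.exe
O4 - HKLM\..\RunOnce: [sysfu32.exe] C:\WINDOWS\sysfu32.exe
O4 - HKLM\..\RunOnce: [AOLToolbarDirRemoval] cmd.exe /C rd "C:\Program Files\AOL Toolbar"
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\sysfu32.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# res:// URL that loads a page out of a local DLL (the about:blank search hijack).
RES_HIJACK = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)/", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories where the hijacker in the posted log drops its randomly named files
# (assumption of this example: legitimate autostarts there use descriptive value names).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def hijacked_dlls(lines):
    """Return the lowercased DLL paths that R0/R1 search keys point at via res://."""
    found = set()
    for line in lines:
        if line.startswith(("R0 ", "R1 ")):
            m = RES_HIJACK.search(line)
            if m:
                found.add(m.group("dll").lower())
    return found


def _exe_from_command(cmd):
    """First token of an O4 command: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def _in_system_dir(path):
    """(True, basename) when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    return (directory + "\\") in SYSTEM_DIRS, base


def analyse(log_text):
    """Return (line_no, section, detail) tuples for the lines the heuristics flag."""
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    bad_dlls = hijacked_dlls(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = O2_LINE.match(line)
        if m:
            path = m.group("path").strip()
            # A BHO that exports no type name ("Class") or lives in the hijack DLL.
            if m.group("name").strip() == "Class" or path.lower() in bad_dlls:
                findings.append((no, "O2", "BHO with generic type name or hijack DLL: " + path))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = _exe_from_command(m.group("cmd"))
            in_sys, base = _in_system_dir(exe)
            # Value name identical to the bare file name, file dropped straight into a system dir.
            if in_sys and m.group("value").lower() == base:
                findings.append((no, "O4", m.group("key") + " value named after its own file: " + exe))
            continue
        m = O23_LINE.match(line)
        if m:
            path = m.group("path")
            # The hijacker's service: binary already gone (renamed) or no vendor string.
            if "(file missing)" in path or m.group("owner") == "Unknown owner":
                findings.append((no, "O23", "suspect service '%s' -> %s" % (m.group("name"), path)))
            continue
        if line.startswith(("R0 ", "R1 ")):
            m = RES_HIJACK.search(line)
            if m:
                findings.append((no, line[:2], "IE search key redirected to local DLL: " + m.group("dll")))
    return findings


if __name__ == "__main__":
    for no, section, detail in analyse(SAMPLE_LOG):
        print("line %2d %-3s %s" % (no, section, detail))
```

Run it against a saved HijackThis log by passing the file's text to `analyse()`. The output is a shortlist for a human, not a verdict: the value-name rule deliberately ignores `IgfxTray` and the `cmd.exe /C` cleanup entries, and a service flagged only because its file is missing is exactly the case JG427 describes, where the name in the log may already be stale.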
